AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. paulderdash (Registered Member; joined Dec 27, 2013; 4,419 posts; location: Under a bushel ...)
    Thanks to @hjlbx, I had previously added these as vulnerable processes in ERP.
    I do have powershell and vssadmin (not sure if that was default) as User Space Include=Yes after reading other posts here.
    But not sure if it's worth duplicating this exercise in AG for all the other vulnerable processes!
    Edit: Having added these in ERP, I guess it is not necessary to add them to AG at all?
     
    Last edited: Apr 4, 2016
  2. paulderdash (Registered Member; joined Dec 27, 2013; 4,419 posts; location: Under a bushel ...)
    Glad this solved your problem. Does uninstalling and reinstalling preserve your settings?
    Edit: @Barb_C Something has definitely changed here with the latest version.
     
    Last edited: Apr 4, 2016
  3. FleischmannTV (Registered Member; joined Apr 7, 2013; 1,094 posts; location: Germany)
    The way I understand it, if a guarded app launches a vulnerable process, or if malware launches from user-space and then launches a vulnerable process, in both cases the vulnerable process will inherit the guarded app restrictions. So I don't understand why you should need to add them as guarded apps manually.
     
  4. rm22 (Registered Member; joined Oct 26, 2014; 357 posts; location: Canada)
    AppGuard is silently blocking an app install - PDFill

    I've tried with AG in 'install', 'off' and stopping the AG Agent process in Task Manager. PDFill installs fine without AG installed.

    What else can be done to shut down AG when there are conflicts like this?

    **EDIT-- Sorry, it was my EMET settings causing the problem - not AG. My snapshot without AG is also without EMET, but I didn't suspect EMET... my bad
     
    Last edited: Apr 5, 2016
  5. hjlbx (Guest)

    *.lnk and certain scripts can bypass AG. There is one video posted here on the thread that shows a *.lnk file that bypasses AG using PowerShell.
     
  6. mood (Updates Team; joined Oct 27, 2012; 41,867 posts)
    Is someone using Locked Down?
    If you suspend a protection, the tray icon changes. But if you now right-click the tray icon, the icon changes to Locked Down.
    It doesn't happen in Protected Mode.
     
  7. guest (Guest)

    I'm using lockdown mode.

    The green icon is just an alert; it is not supposed to stay.
     
  8. Infected (Registered Member; joined Feb 9, 2015; 1,059 posts)
    Yes, it saved them for me.
     
  9. stackz (Registered Member; joined Dec 27, 2007; 645 posts; location: Sydney Australia)
    Yes, this seems like a bug. The icon should only revert to locked down status when the protection is re-enabled.
     
  10. rm22 (Registered Member; joined Oct 26, 2014; 357 posts; location: Canada)
    Sorry, it was my EMET settings causing the problem - not AG. My snapshot without AG is also without EMET, but I didn't suspect EMET... my bad
     
  11. Barb_C (Developer; joined Jan 7, 2011; 1,234 posts; location: Virginia)
    As far as I know, non-system partition applications are being protected. We ran into an issue with a free-ware ram disk (can't remember which one), but otherwise it should work.

    Correct, if a parent is protected the child is as well.
     
  12. Barb_C (Developer; joined Jan 7, 2011; 1,234 posts; location: Virginia)
    I don't think this is a valid exploit. It is likely that this person has changed the default settings of PowerShell execution in order to get this to run. PowerShell is configured to run in its most secure mode by default. In its most restrictive mode, PowerShell does not permit scripts to run. If you've changed your PowerShell settings, then we would recommend that you add PowerShell to the Guarded application list.
     
  13. Mr.X (Registered Member; joined Aug 10, 2013; 4,031 posts; location: Mexico)
    Hi Barb, Softperfect RAMDisk it was.

    Btw I'm still using it and not going to change it.
     
  14. Barb_C (Developer; joined Jan 7, 2011; 1,234 posts; location: Virginia)
    Not as smooth as I hoped. The Trusted Publisher's list update is a dilemma though I'm sure it can be handled properly with more work on our part. Many of our policy updates (especially for Tech Fortress) are specifically to add new trusted publishers so we merge the list. Right now we don't have a way of knowing which publishers are new and which might have been deleted so the merge logic just treats the deleted publishers as "new".
     
  15. Barb_C (Developer; joined Jan 7, 2011; 1,234 posts; location: Virginia)
    Thanks, I'm very tired today and not on top of my game.
     
  16. itman (Registered Member; joined Jun 22, 2010; 8,400 posts; location: U.S.A.)
    Bypassing PowerShell's default execution policy is "trivial" as noted by this: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ and other numerous web articles on the subject. So, I would say it should be added to the Guarded app list by default.
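    Since the posts above by Barb_C and itman turn on what the PowerShell execution policy actually does, here is an added example (not from this thread and not part of AppGuard) that reports the policy at every scope and flags the scopes looser than Restricted, the Windows client default (Windows Server defaults to RemoteSigned). The ranking table is this example's own assumption. It only reads settings; the point it makes is that execution policy is a convenience setting rather than a security boundary, which is why the thread discusses guarding or blocking powershell.exe instead of relying on it.

```powershell
# Added example, not from the thread or from AppGuard: audit the PowerShell
# execution policy per scope. Ranking from most to least restrictive is an
# assumption made for this report.
$rank = @{
    'Undefined'    = -1   # scope not set; defers to the next scope in precedence
    'Restricted'   = 0    # no script files run (Windows client default)
    'AllSigned'    = 1
    'RemoteSigned' = 2    # Windows Server default
    'Unrestricted' = 3
    'Bypass'       = 4
}

function Get-ExecutionPolicyReport {
    # Get-ExecutionPolicy -List returns one entry per scope, in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    Get-ExecutionPolicy -List | ForEach-Object {
        $name = $_.ExecutionPolicy.ToString()
        [pscustomobject]@{
            Scope             = $_.Scope
            Policy            = $name
            LooserThanDefault = ($rank[$name] -gt $rank['Restricted'])
        }
    }
}

$report = Get-ExecutionPolicyReport
$report | Format-Table -AutoSize

# The effective policy is the first scope in precedence order that is not Undefined.
$effective = (Get-ExecutionPolicy).ToString()
"Effective execution policy: $effective"

if ($rank[$effective] -gt $rank['Restricted']) {
    Write-Warning "Script files can run under the effective policy. Per this thread, consider adding powershell.exe to the Guarded application list, or placing its folder in user-space so AppGuard blocks it, rather than relying on execution policy."
}
```

    Run it in the session you want to audit; the Process scope reflects only that session, so a scheduled task or service would need to be checked separately.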
     
  17. Cutting_Edgetech (Registered Member; joined Mar 30, 2006; 5,653 posts; location: USA)
    It still does not address why AG allowed scripts to run. We have always been informed in the past that scripts are not permitted to run in Locked Down Mode. AG also allowed wscript.exe to run in Locked Down Mode when scripts should not be allowed to run. We need to know what expected behavior is in regards to all scripts. We have discussed scripts many times in the past, and we have been informed they should not be able to run in Locked Down Mode. In Medium/Protected Mode we were informed script execution would be Guarded.

    PowerShell is probably one of the most abused Windows resources to date. I think it should come on the Guarded Apps List by default. I believe cscript.exe and wscript.exe should also be on the Guarded Apps List by default if it adds additional mitigation policies that are not already hard coded in the KMD. Almost all of us at Wilders have been adding them to the Guarded Apps List for a long time, and no one has ever experienced any problems that I'm aware of. Is there any benefit in adding cscript.exe and wscript.exe to the Guarded Apps List? I was informed once before there are policies hard coded in the KMD to handle these scripts. Namely not allowing them in Locked Down Mode, and Guarding their execution in Protected Mode.
     
  18. Cutting_Edgetech (Registered Member; joined Mar 30, 2006; 5,653 posts; location: USA)
    Sorry to hear you are tired. We can discuss the bypass tomorrow. We aren't going anywhere.
     
  19. FleischmannTV (Registered Member; joined Apr 7, 2013; 1,094 posts; location: Germany)
    I still don't understand the wish for adding abused processes as guarded apps by default. The inheritance rule should cover that. Aside from that, explorer.exe and svchost.exe are often abused as well. You want to add them to guarded apps? Bad idea, wouldn't work and inheritance covers them as well.
     
  20. Barb_C (Developer; joined Jan 7, 2011; 1,234 posts; location: Virginia)
    The wscript.exe video was with the older version of AppGuard, and wscript protection was one of the enhancements made in 4.3. AppGuard does not permit PowerShell scripts to launch from user-space in Locked Down. In this video, there was a shortcut to PowerShell that was extracted from the rar file (not a PowerShell script). I can't tell from the video what the shortcut was running. Perhaps it used one of the techniques cited by Itman to download a script and place it in C:\windows\temp and then it executed it from there. Anyway, I suspect that you are correct and that if you add PowerShell to the Guard List, the script would only be able to be downloaded to a user-space folder and a script would not be able to run from that folder.
    The hard-coded policies for cscript.exe and wscript.exe were added in 4.3 (the wscript video is using 4.2). These hard-coded policies don't have the effect of Guarding cscript.exe and wscript.exe, but they have the effect of prohibiting the associated scripts from launching from user-space.

    I'll revisit adding PowerShell as a Guarded app with my security expert and we can add in the next release. Still not sure about cscript and wscript (i.e. adding them to the guard list) as there are already policies which we enforce for those scripts.
     
  21. Barb_C (Developer; joined Jan 7, 2011; 1,234 posts; location: Virginia)
    Thanks. We'll consider it. In the meantime, based on what I'm seeing here it looks like a good idea to add PowerShell to the Guard List (and fortunately that can be done fairly easily with our UI).
     
  22. Barb_C (Developer; joined Jan 7, 2011; 1,234 posts; location: Virginia)
    Alrighty then. Just got an email from my security guy and now he thinks perhaps that we should consider blocking powershell.exe from running altogether (like we do with schtasks.exe). What do you all think of that?

    BTW, this isn't intuitive, but you can do this by adding the powershell folder to user-space.
     
  23. hjlbx (Guest)

    In the first video, he/she is using a *.lnk file to PowerShell to get it to execute a file in User Space. At least that is what the video creator states on a Polish security forum.

    In the second video, he/she is demonstrating a bypass using a Work Group and a *.wfs file.
     
  24. Barb_C (Developer; joined Jan 7, 2011; 1,234 posts; location: Virginia)
    Thanks! Just stayed up too late watching basketball last night. But it was worth it, my bracket won and I should be getting a sizable jackpot!
     
  25. Cutting_Edgetech (Registered Member; joined Mar 30, 2006; 5,653 posts; location: USA)
    The inheritance rule also depends on whether applications are Guarded. Remember, if the Parent is Guarded then its child will automatically be Guarded as well. Also, Guarded applications are Guarded with many more mitigation policies than non-Guarded applications. Guarded Apps are not permitted to write to the System Space, Program Files, and C:\, and Privacy Mode Protection can be enforced. Guarded apps are blocked from writing to protected registry keys, and from read/write access to other processes' memory.

    Well, you could never add explorer.exe to the Guarded Apps List unless you want an unstable machine. Explorer.exe has to have access to User-space, and System Space. I'm sure there are other reasons, but that immediately came to mind.
     
    Last edited: Apr 5, 2016
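    The inheritance rule that FleischmannTV, Barb_C and Cutting_Edgetech go back and forth on in the posts above (a child of a Guarded parent is Guarded too) can be checked against a live process tree. The script below is an added example, not from this thread and not part of AppGuard: it walks a process's parent chain with WMI and reports whether any ancestor is on a list of Guarded application names. The names in the default list are assumptions for the demo, not AppGuard's real Guard List, and the script only reads process information.

```powershell
# Added example, not from the thread or from AppGuard: show which ancestor launched
# a process, so you can see whether a vulnerable process such as powershell.exe would
# inherit a Guarded parent's restrictions under the inheritance rule discussed above.

function Get-ProcessAncestry {
    param([int]$ProcessId = $PID)
    $chain = @()
    $seen  = @{}
    $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    # Stop at the root (no parent record) or when a PID repeats. A repeat means a
    # parent has exited and its PID was reused, so the chain past that point is
    # unreliable; that is a caveat of any parent-PID walk, AppGuard's included.
    while ($proc -and -not $seen.ContainsKey([int]$proc.ProcessId)) {
        $seen[[int]$proc.ProcessId] = $true
        $chain += [pscustomobject]@{
            ProcessId = $proc.ProcessId
            Name      = $proc.Name
            Path      = $proc.ExecutablePath
        }
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    }
    return $chain
}

function Test-InheritsGuard {
    param(
        [int]$ProcessId = $PID,
        # Assumed Guarded-app names for the demo; substitute your own Guard List.
        [string[]]$GuardedApps = @('chrome.exe', 'firefox.exe', 'WINWORD.EXE')
    )
    $ancestry = Get-ProcessAncestry -ProcessId $ProcessId
    # -contains compares case-insensitively, so image-name casing does not matter.
    $guardedAncestor = $ancestry |
        Where-Object { $GuardedApps -contains $_.Name } |
        Select-Object -First 1
    $ancestorName = if ($guardedAncestor) { $guardedAncestor.Name } else { 'none' }
    [pscustomobject]@{
        ProcessId       = $ProcessId
        Chain           = ($ancestry.Name -join ' <- ')
        GuardedAncestor = $ancestorName
        WouldInherit    = [bool]$guardedAncestor
    }
}

# Usage: check the current PowerShell session against the assumed Guarded list.
Test-InheritsGuard | Format-List
```

    Run it from a PowerShell window that was launched by a browser or document viewer to see the chain end at that application; launched from the Start menu, the chain ends at explorer.exe, which, as Cutting_Edgetech notes, is never on the Guard List, so nothing is inherited and the process relies on its own Guard List entry.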